New Worm?

[Arta]

Snort is picking up these packets as traffic from some hacking tool called 'CyberKit'.

[Arta]

Just started getting traffic from hosts not on my ISP's subnet.

[Arta]

This is a (new?) worm: http://isc.sans.org/diary.html?date=2003-08-18

Edit:

Better information here: http://vil.nai.com/vil/content/v_100559.htm

Looks like I was right

[Newby]

Holy shit. Owned.

12/13/2003 09:17:57.864   ICMP packet dropped   68.107.168.85, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 09:16:41.848   ICMP packet dropped   68.105.109.113, 8, WAN   MYIP, 8, LAN   'Ping'   0
12/13/2003 09:13:03.928   ICMP packet dropped   68.104.16.103, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 09:11:55.784   ICMP packet dropped   68.105.158.169, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 09:09:47.672   ICMP packet dropped   68.104.246.20, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 09:07:16.000   ICMP packet dropped   68.109.156.174, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 09:04:55.912   ICMP packet dropped   68.107.164.29, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 09:02:46.256   ICMP packet dropped   68.110.183.111, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:58:07.624   ICMP packet dropped   68.110.213.190, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:56:18.400   ICMP packet dropped   68.104.118.29, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:54:54.128   ICMP packet dropped   68.109.210.127, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:53:01.592   ICMP packet dropped   68.105.199.189, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:51:30.848   ICMP packet dropped   68.108.224.238, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:49:47.304   ICMP packet dropped   68.105.236.140, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:47:52.512   ICMP packet dropped   68.107.133.66, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:45:49.624   ICMP packet dropped   68.109.221.210, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:42:49.512   ICMP packet dropped   68.107.182.27, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:39:58.816   ICMP packet dropped   68.109.51.149, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:35:33.544   ICMP packet dropped   68.107.248.14, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:32:16.256   ICMP packet dropped   68.110.146.245, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:30:48.864   ICMP packet dropped   68.104.223.192, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:27:51.928   ICMP packet dropped   68.110.140.26, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:26:12.592   ICMP packet dropped   68.104.212.181, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:24:01.064   ICMP packet dropped   68.107.156.238, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:21:58.032   ICMP packet dropped   68.110.122.140, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:20:38.528   ICMP packet dropped   68.106.195.244, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:19:00.336   ICMP packet dropped   68.108.74.222, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:16:44.528   ICMP packet dropped   68.110.244.9, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:14:36.272   ICMP packet dropped   68.107.182.27, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:12:21.304   ICMP packet dropped   68.110.127.173, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:09:36.032   ICMP packet dropped   68.104.171.104, 8, WAN   MY IP, 8, LAN   'Ping'   0
12/13/2003 08:08:19.912   ICMP packet dropped   68.105.65.89, 8, WAN   MY IP, 8, LAN   'Ping'   

[j0k3r]

Self removal
When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

Hmm, where have we seen that before?

[Yoni]

Self removal
When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

Hmm, where have we seen that before?

Ah, whew. It's just Welchia. It'll be dead in 2.5 weeks.

[iago]

This worm looked pretty thoughtful, since it deletes itself and installs patches and stuff, then it installed tftpd